public string GetCommandLine() { PROCESS_BASIC_INFORMATION pbi; int size; NtQueryInformationProcess(pGame.Handle, 0, out pbi, Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out size); IntPtr pebAddress = (IntPtr)pbi.PebBaseAddress; String commandLine = null; if ((uint)pebAddress != 0) { byte[] PEBData; ReadBytes(pebAddress, Marshal.SizeOf(typeof(PEB)), out PEBData); PEB peb = ByteArrayToStructure <PEB>(PEBData); IntPtr infoblkAddr = (IntPtr)peb.InfoBlockAddress; byte[] data; ReadBytes(infoblkAddr, Marshal.SizeOf(typeof(INFOBLOCK)) * 100, out data); INFOBLOCK infoBlock = ByteArrayToStructure <INFOBLOCK>(data); byte[] commandlineString; ReadBytes(infoBlock.commandLineAddress, 0x1000, out commandlineString); commandLine = Encoding.Unicode.GetString(commandlineString); try { commandLine = commandLine.Substring(0, commandLine.IndexOf("\0")); } catch { commandLine = ""; } } return(commandLine); }
/// <summary> /// Program entry point. /// </summary> /// <param name="args">Command line arguments.</param> static void Main(string[] args) { Span <byte> asm = stackalloc byte[10] { 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60] 0xC3 // RET }; IntPtr PEBAddressPtr = IntPtr.Zero; lock (Mutex) { using MemoryMappedFile MemoryMap = MemoryMappedFile.CreateNew(null, asm.Length, MemoryMappedFileAccess.ReadWriteExecute); MemoryMappedViewAccessor MemoryMapAccessor = MemoryMap.CreateViewAccessor(0, asm.Length, MemoryMappedFileAccess.ReadWriteExecute); // Get address of the memory region IntPtr RWXRegionAddressPtr = MemoryMapAccessor.SafeMemoryMappedViewHandle.DangerousGetHandle(); Debug.Assert(RWXRegionAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the RWX memory region."); // Inject code Marshal.Copy(asm.ToArray(), 0, RWXRegionAddressPtr, asm.Length); Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 0) == 0x65, "[-] Error while injecting code."); Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 9) == 0xC3, "[-] Error while injecting code."); // Get delegate GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(RWXRegionAddressPtr); PEBAddressPtr = GetPEB(); Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure."); } // Pull the structure out of memory PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr); Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory"); } }
/// <summary> /// Program entry point. /// </summary> /// <param name="args">Command line arguments.</param> static void Main(string[] args) { Span <byte> asm = stackalloc byte[10] { 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60] 0xC3 // RET }; // Allocate memory IntPtr lpAddress = VirtualAlloc(IntPtr.Zero, asm.Length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); Debug.Assert(lpAddress != IntPtr.Zero, "[-] Error while allocating memory: kernl32!VirtualAlloc."); // Write asm in memory Marshal.Copy(asm.ToArray(), 0, lpAddress, asm.Length); // Change memory permissions Int32 lpflOldProtect = 0; bool success = VirtualProtect(lpAddress, asm.Length, PAGE_EXECUTE_READ, ref lpflOldProtect); Debug.Assert(success || lpflOldProtect == 4, "[-] Error while changing the memory permissions of the allocation memory."); // Create delegate GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(lpAddress); IntPtr PEBAddressPtr = GetPEB(); Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure."); // Pull the structure out of memory PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr); Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory"); } }
public GameSharpProcess(Process process) { Native = process ?? throw new NullReferenceException("process"); NativeHandle = Native.Handle; MainModule = Native.MainModule; Is64Bit = IntPtr.Size == 8; PEB = new PEB(this); }
private GameSharpProcess() { ExceptionService.Initialize(); Native = Process.GetCurrentProcess(); NativeHandle = Native.Handle; MainModule = Native.MainModule; Is64Bit = IntPtr.Size == 8; PEB = new PEB(this); }
/// <summary> /// Anti-anti-debugging methods are placed in here /// </summary> private void HideDebugger() { PEB peb = Process.PEB; if (peb.IsValid) { //peb.BeingDebugged = false; //peb.NtGlobalFlag = 0; } }
private static string[] TestGetProcessWorkingDirectory(string image) { List <string> ret = new List <string>(); Process[] ps = Process.GetProcessesByName(image); foreach (Process p in ps) { Console.WriteLine($"{p.ProcessName} pid: {p.Id}"); IntPtr handle = OpenProcess(p, ProcessAccessFlags.All); IntPtr pPbi = Marshal.AllocHGlobal(PROCESS_BASIC_INFORMATION.Size); IntPtr outLong = Marshal.AllocHGlobal(sizeof(long)); Console.WriteLine($"handle: {handle}"); int _ = NtQueryInformationProcess(handle, 0, pPbi, (uint)PROCESS_BASIC_INFORMATION.Size, outLong); if (_ != 0) { Console.WriteLine($"Error {ret}"); break; } PROCESS_BASIC_INFORMATION pbi = Marshal.PtrToStructure <PROCESS_BASIC_INFORMATION>(pPbi); Console.WriteLine($"peb: {pbi.PebBaseAddress}"); IntPtr pPeb = Marshal.AllocHGlobal(PEB.Size); ReadProcessMemory(handle, pbi.PebBaseAddress, pPeb, PEB.Size, outLong); PEB peb = Marshal.PtrToStructure <PEB>(pPeb); IntPtr pUpp = Marshal.AllocHGlobal(RTL_USER_PROCESS_PARAMETERS.Size); ReadProcessMemory(handle, peb.ProcessParameters, pUpp, RTL_USER_PROCESS_PARAMETERS.Size, outLong); RTL_USER_PROCESS_PARAMETERS upp = Marshal.PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(pUpp); IntPtr pStr = Marshal.AllocHGlobal(upp.CurrentDirectoryPath.Length + 2); RtlZeroMemory(pStr, upp.CurrentDirectoryPath.Length + 2); ReadProcessMemory(handle, upp.CurrentDirectoryPath.Buffer, pStr, upp.CurrentDirectoryPath.Length, outLong); string cwd = Marshal.PtrToStringUni(pStr); if (!String.IsNullOrEmpty(cwd)) { ret.Add(cwd); } Console.WriteLine($"cwd: {cwd}"); CloseHandle(handle); Console.WriteLine(); } return(ret.ToArray()); }
private static List <string> GetProcessWorkingDirectoriesByImageName(string image) { List <string> result = new List <string>(); Process[] ps = Process.GetProcessesByName(image); foreach (Process p in ps) { IntPtr handle = OpenProcess(p); IntPtr pPbi = Marshal.AllocHGlobal(PROCESS_BASIC_INFORMATION.Size); IntPtr outLong = Marshal.AllocHGlobal(sizeof(long)); int ret = NtQueryInformationProcess(handle, 0, pPbi, (uint)PROCESS_BASIC_INFORMATION.Size, outLong); if (ret != 0) { continue; } PROCESS_BASIC_INFORMATION pbi = Marshal.PtrToStructure <PROCESS_BASIC_INFORMATION>(pPbi); IntPtr pPeb = Marshal.AllocHGlobal(PEB.Size); ReadProcessMemory(handle, pbi.PebBaseAddress, pPeb, PEB.Size, outLong); PEB peb = Marshal.PtrToStructure <PEB>(pPeb); IntPtr pUpp = Marshal.AllocHGlobal(RTL_USER_PROCESS_PARAMETERS.Size); ReadProcessMemory(handle, peb.ProcessParameters, pUpp, RTL_USER_PROCESS_PARAMETERS.Size, outLong); RTL_USER_PROCESS_PARAMETERS upp = Marshal.PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(pUpp); IntPtr pStr = Marshal.AllocHGlobal(upp.CurrentDirectoryPath.Length + 2); RtlZeroMemory(pStr, upp.CurrentDirectoryPath.Length + 2); ReadProcessMemory(handle, upp.CurrentDirectoryPath.Buffer, pStr, upp.CurrentDirectoryPath.Length, outLong); string cwd = Marshal.PtrToStringUni(pStr); if (!String.IsNullOrEmpty(cwd)) { result.Add(cwd); } CloseHandle(handle); } return(result); }
public static bool Apply(IntPtr hProcess, string path = null, string cmdLine = null, string CurrentDirectoryPath = null) { if (hProcess == null || hProcess == IntPtr.Zero) { return(false); } try { // default Varametrs uint len; // get PROCESS_BASIC_INFORMATION var info = new PROCESS_BASIC_INFORMATION(); NtQueryInformationProcess(hProcess, 0, out info, (uint)Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out len); // get PROCESS_BASIC_INFORMATION var peb = new PEB(); ReadProcessMemory(hProcess, info.PebBaseAddress, (IntPtr)(&peb), (uint)Marshal.SizeOf(typeof(PEB)), out len); // get RTL_USER_PROCESS_PARAMETERS var psParam = new RTL_USER_PROCESS_PARAMETERS(); ReadProcessMemory(hProcess, peb.ProcessParameters, (IntPtr)(&psParam), (uint)Marshal.SizeOf(typeof(RTL_USER_PROCESS_PARAMETERS)), out len); // patch WriStr(hProcess, ref psParam.ImagePathName, path); WriStr(hProcess, ref psParam.CommandLine, cmdLine); WriStr(hProcess, ref psParam.CurrentDirectoryPath, CurrentDirectoryPath); // reflecet Changes return (WriteProcessMemory(hProcess, peb.ProcessParameters, (IntPtr)(&psParam), (uint)Marshal.SizeOf(typeof(RTL_USER_PROCESS_PARAMETERS)), out len)); } catch (Exception) { return(false); } }